Main Vulnerability Database SB2019073111

SB2019073111 - Information disclosure in Google Kubernetes Engine plugin for Jenkins

Published: July 31, 2019 Updated: October 22, 2019

Security Bulletin ID SB2019073111

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2019-10365)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin creates a temporary file named ".kube…config" containing a temporary access token in the project workspace. A remote authenticated user with Job/Read permission can access the file via workspace browsers, or accidentally archived, disclosing the token.

Remediation

Install update from vendor's website.

References

https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1345